Threats and Countermeasures Guide: External Storage Devices

Updated: May 12, 2012

Applies To: Windows 7, Windows Server 2008 R2

This section of the Threats and Countermeasures Guide discusses Group Policy settings that can be used by administrators to limit, prevent, or allow the use of external storage devices in networked computers.

Overview

A growing variety of external storage devices can be connected to personal computers and servers that are running the Windows® operating system. Many users now expect to be able to install and use these devices in the office, at home, and in other locations. For administrators, these devices pose potential security and manageability challenges, such as:

  • Protecting against data loss due to unauthorized copying of the organization's data.

  • Restricting users' ability to copy or load unauthorized data and applications to the organization's servers and client computers.

  • Preventing users from installing device drivers for unauthorized devices.

  • Preventing users from installing device drivers from unauthorized locations.

  • Help protect against potential malware programs, such as Conficker, which are capable of using external storage devices to install themselves in the system and spread throughout the network.

The Group Policy settings discussed in this section can be used to limit, prevent, or enable these situations. The default value for these policy settings is Not configured.

These policy settings are located in the following locations under Computer Configuration\Administrative Templates\System:

  • Device Installation\Device Installation Restrictions

  • Device Redirection\Device Redirection Restrictions

  • Driver Installation

  • Enhanced Storage Access

  • Removable Storage Access

These policy settings are located in the following locations under Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies:

  • Turn off AutoPlay

  • Don’t set the always do this check box

  • Turn off AutoPlay for non-volume devices

  • Default behavior for AutoRun

Additional Group Policy settings that can be used to manage the installation or use of external storage devices are covered in other sections of this guide. These policy settings include:

Also in Threats and Countermeasures Guide: System Services, there is information about the following services that can be used to manage external storage devices:

  • The SSDP Discovery service, which supports peer-to-peer Plug and Play functionality for network devices and services.

  • The Portable Device Enumerator Service, which enforces Group Policy settings for removable mass-storage devices.

  • The Windows Update service, which enables the download and installation of security updates for Windows and Office, in addition to device drivers and device driver updates.

For more information that can assist you in managing external storage devices, see the following sections of Using Windows 7 and Windows Server 2008 R2: Controlling Communication with the Internet:

Device installation restrictions

A rapidly growing number and variety of new devices can be installed on a computer. To support these devices and the legitimate user scenarios that they enable, Microsoft® has simplified the process whereby authenticated users can locate and install device drivers that allow these devices to work with the Windows operating system. This simplified installation process is designed to reduce network support costs, because administrators no longer need to install devices on behalf of users or grant administrator permissions to users so that they can install and manage devices. However, many organizations still require some restrictions for device installation, based on a device or device class.

Possible values:

  • Enabled

  • Disabled

  • Not configured

Vulnerability

Allowing users to manage and use external devices without restrictions can expose an organization to the following risks:

  • Data theft. It is easier for users to make unauthorized copies of company data if they can install unapproved devices that support removable media. For example, if users can install a CD-R device, they can burn copies of company data onto a recordable CD.

  • Increase support costs. Allowing users to install and use devices that your Help Desk is not prepared to support can increase user confusion and expose the network to unapproved software that is associated with those devices.

Countermeasure

To address these concerns, you can configure Device Installation Restrictions Group Policy settings to do the following:

  • Prevent installation of all devices.

    In this scenario, the administrator wants to prevent standard users from installing any device but allow administrators to install or update devices. To implement this scenario, you must configure two computer policies: one that prevents all users from installing devices and a second policy to exempt administrators from the restrictions.

  • Allow users to install only authorized devices.

    In this scenario, the administrator wants to allow users to install only the devices that are included on a list of authorized devices. To complete this scenario, you configure and apply a Group Policy setting that includes a list of authorized devices so that users can install only the devices that you specify.

  • Prevent installation of only prohibited devices.

    In this scenario, the administrator wants to allow standard users to install most devices but prevent them from installing devices that are included on a list of prohibited devices. To complete this scenario, you must configure and apply a Group Policy setting that includes a list of prohibited devices so that users can install any device except those that you specify.

  • Control the use of removable media storage devices.

    In this scenario, the administrator wants to prevent standard users from writing data to removable storage devices or devices with removable media, such as a USB memory drive or a CD or DVD burner. To complete this scenario, you configure and apply a computer policy to allow Read access but deny Write access to a specific device or to an external writable device on a computer.

The following table provides a brief description of the device installation policy settings that are used to implement these scenarios.

Policy setting Description

Prevent installation of devices not described by other policy settings

This policy setting controls the installation of devices that are not specifically described by any other policy setting. If you enable this policy setting, users cannot install or update the driver for devices unless they are described by either the Allow installation of devices that match these device IDs policy setting or the Allow installation of devices for these device classes policy setting.

Allow administrators to override device installation policy

This policy setting allows members of the local Administrators group to install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, administrators can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device.

Prevent installation of devices that match these device IDs

This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users cannot install. If you enable this policy setting, users cannot install or update the driver for a device if any of its hardware IDs or compatible IDs match one in this list.

Note
This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device.

Prevent installation of drivers matching these device setup classes

This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users cannot install. If you enable this policy setting, users cannot install or update drivers for a device that belongs to any of the listed device setup classes.

Note

This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device, even if it matches another policy setting that would allow installation of that device.

Allow installation of devices that match any of these device IDs

This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs that describe devices that users can install. This policy setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled, and it does not take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a hardware ID or compatible ID that matches an ID in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting.

Allow installation of devices using drivers for these device classes

This policy setting specifies a list of device setup class GUIDs that describe devices that users can install. This policy setting is intended to be used only when the Prevent installation of devices not described by other policy settings policy setting is enabled, and it does not take precedence over any policy setting that would prevent users from installing a device. If you enable this policy setting, users can install and update any device with a device setup class that matches one of the device setup class GUIDs in this list if that installation has not been specifically prevented by the Prevent installation of devices that match these device IDs policy setting, the Prevent installation of devices for these device classes policy setting, or the Prevent installation of removable devices policy setting. If another policy setting prevents users from installing a device, users cannot install it even if the device is also described by a value in this policy setting.

Note

These policy settings affect all users who log on to the computer where the policy settings are applied. You cannot apply these policies to specific users or groups except for the Allow administrators to override device installation policy policy setting. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section.

Potential Impact

Inform users about the external hardware that they can and cannot use so that device restrictions do not generate unnecessary Help Desk calls. In addition, because new devices and updated device drivers are being introduced all the time, it may be necessary to define, review, and update organization-wide device standards and update the device installation Group Policy settings on a regular basis.

Device Redirection Restrictions

Device Redirection Restriction Group Policy settings are designed to extend the Device Installation Restriction Group Policy settings described in the previous section by further defining and limiting the locations from which device drivers can be installed.

Possible values:

  • Enabled

  • Disabled

  • Not configured

Vulnerability

If approved locations are not available, users might install device drivers from unapproved locations.

Countermeasure

To address these concerns, you can configure the following Device Redirection Restrictions Group Policy settings to prevent users from obtaining device drivers from unapproved locations.

Policy setting Description

Prevent redirection of devices that match any of these device Ids

This policy setting prevents the redirection of specific USB devices. If you enable this policy setting, an alternate driver for the USB device cannot be loaded.

Prevent redirection of USB devices

This policy setting prevents the redirection of USB devices. If you enable this policy setting, an alternate driver for USB devices cannot be loaded.

Potential Impact

If the primary location that you specify for the device driver that supports a particular device is not available, the user cannot obtain the device driver from an alternate location. The user will only be able to install and use the specified device if the primary location you define is available.

Driver Installation

You can configure a computer policy on your computer to allow specified users to install devices from specific device setup classes. In addition, you can manage whether a user or administrator receives the prompt to search Windows Update or Windows Server Update Services (WSUS) for device drivers when one is not found locally. When you enable this policy setting, Windows Update or WSUS is searched without asking the user for permission first. This policy setting only affects a computer on which searching Windows Update or WSUS is enabled.

Possible values:

  • Enabled

  • Disabled

  • Not configured

Vulnerability

In some networks, allowing non-administrators to allow some classes of device drivers is considered a vulnerability. In addition, the ability to control whether a prompt appears allowing a user or administrator to decide whether to search Windows Update for a device driver if none is available locally can give them better control of which device drivers are installed.

Countermeasure

The following Group Policy settings can help you control whether non-administrators can install drivers for specified classes of devices and whether users or administrators receive a prompt when a device driver is not found locally.

Policy setting Description

Allow non-administrators to install drivers for these device setup classes

This policy setting allows administrators to specify a list of device setup class GUIDs that describe device drivers that non-administrator members of the built-in Users group can install on the system. If you enable this policy setting, members of the Users group can install new drivers for the specified device setup classes. The drivers must be signed according to the Windows Driver Signing Policy or be signed by publishers that are already in the TrustedPublisher store.

Turn off Windows Update device driver search prompt

This policy setting specifies whether the administrator will be prompted before using Windows Update to search for device drivers.

Note
This policy setting has an effect only if the Turn off Windows Update device driver searching policy setting in Administrative Templates\System\Internet Communication Management\Internet Communication settings is disabled or not configured.

If you enable this policy setting, administrators will not be prompted to search Windows Update.

Potential Impact

Enabling non-administrators to install device drivers can reduce the number of help desk calls when users attempt to install hardware, but it increases the risk that non-approved devices are installed.

Enhanced Storage Access

Enhanced Storage devices are devices that support the IEEE 1667 protocol to provide functions such as authentication at the hardware level of the storage device. These devices enhance data protection if a device is lost or stolen.

Possible values:

  • Enabled

  • Disabled

  • Not configured

Vulnerability

These devices can be very small, such as USB flash drives, to provide a convenient way to store and carry data. At the same time, the small size makes it very easy for the device to be lost, stolen, or misplaced. By supporting authentication at the device level, it becomes less likely that the data on the device will be compromised, even if the device is lost or stolen.

Countermeasure

The Enhanced Storage Access policy settings enable you to use Group Policy to administer policies for Enhanced Storage devices that support certificate and password authentication silos in your organization.

For definitions of various storage devices, see Definitions for Storage Silo Drivers in the MSDN Library.

The following Group Policy settings control the behavior of Enhanced Storage devices.

Policy setting Description

Allow Enhanced Storage certificate provisioning

This policy setting allows users to provision certificates on devices that support the Certificate Authentication Silo.

Note
This policy setting is applicable only to Enhanced Storage devices that support the Certificate Authentication Silo.

Allow only USB root hub connected Enhanced Storage devices

This policy setting allows only Enhanced Storage devices that are connected to USB root hubs.

Configure list of approved Enhanced Storage devices

This policy setting allows you to configure a list of devices by manufacturer and product ID that are allowed on the computer.

Note

Manufacturer ID is a six-character value. Product ID is up to 40 characters in length. To specify that all devices by a manufacturer are allowed, type the manufacturer ID. To specify that only specific devices by a manufacturer are allowed, type the manufacturer ID, a hyphen, and the product ID or IDs of the allowed devices; for example: <Manufacturer ID>-<Product ID>. The manufacturer ID and the product ID values are case-sensitive. Contact the device manufacturer to get the manufacturer and product ID values.

Configure list of approved IEEE 1667 silos

This policy setting allows you to create a list of approved silos that can be used on the computer.

The Certificate Authentication Silo is always on the approved list.

Do not allow password authentication of Enhanced Storage devices

This policy setting blocks the use of a password to unlock an Enhanced Storage device.

Do not allow non-Enhanced Storage removable devices

This policy setting limits the use of removable devices to Enhanced Storage devices and blocks the use of other storage devices on the computer.

Lock Enhanced Storage when the machine is locked

This policy setting locks the device when the computer is locked.

Potential Impact

Enhanced Storage devices can enhance data protection, but they may require additional user education to use properly.

Removable Storage Access

Removable storage such as CD, DVD, and USB drives support a wide variety of scenarios, including data backup, software installation (especially when network access is not available), and easy access to multimedia training materials.

Possible values:

  • Enabled

  • Disabled

  • Not configured

Vulnerability

Removable storage devices such as read-only and read-write CD and DVD drives, USB drives, and tape drives can pose security concerns such as the risk of introducing malware onto network computers, the installation of unapproved software, and data theft.

Countermeasure

An administrator can apply Group Policy settings to control whether users can read from or write to any device with removable media. These policy settings can be used to help prevent sensitive or confidential material from being written to removable media.

You can apply these policy settings at the computer level so they affect every user who logs on to the computer. You can also apply them at the user level and limit enforcement to specific user accounts.

Important

These removable storage access policies do not affect software that runs in the System account context, such as the ReadyBoost® technology in Windows. However, any software that runs under the security context of the current user might be affected by these restrictions. For example, if the Removable Disks: Deny write access policy setting is in effect for a user, even if that user is an administrator, then the BitLocker™ setup program cannot write its startup key to a USB drive. You might want to consider applying the restrictions to only users and groups other than the local Administrators group.

The Removable Storage Access policy settings also include a setting to allow an administrator to force a restart. If a device is in use when a restricting policy is applied, the policy might not be enforced until the computer is restarted. Use the policy setting to force a restart if you do not want to wait until the next time the user restarts the computer. If the restricting policies can be enforced without restarting the computer, then the restart option is ignored.

The policy settings can be found in two locations. The policy settings found in Computer Configuration\Administrative Templates\System\Removable Storage Access affect a computer and every user who logs on to it. The policy settings found in User Configuration\Administrative Templates\System\Removable Storage Access affect only the users to whom the policy setting is applied, including groups if Group Policy is applied by using Active Directory Domain Services.

The following Group Policy settings enable you to control Read or Write access to removable storage drives. Each device category supports two policies: one to deny Read access and one to deny Write access.

Policy settings Description

Time (in seconds) to force reboot

This policy setting sets the amount of time (in seconds) that the system will wait to restart to enforce a change in access rights to removable storage devices. The restart is only forced if the restricting policies cannot be applied without it.

Note
If the policy change affects multiple devices, the change is enforced immediately on all devices that are not currently in use. If any of the affected devices are in use so that the change cannot be immediately enforced, then this policy to restart the computer will be enforced, if it was enabled by the administrator.

CD and DVD: Deny execute access

This policy setting allows you to deny Read or Write access to devices in the CD and DVD removable storage class, including USB connected devices.

Important

Some non-Microsoft CD and DVD burner software interacts with the hardware in a way that is not prevented by this policy setting. If you want to prevent all writing to CD or DVD burners, you might want to consider applying Group Policy to prevent the installation of that software.

CD and DVD: Deny read access

This policy setting allows you to deny Read access to devices in the CD and DVD removable storage class, including USB connected devices.

CD and DVD: Deny write access

This policy setting allows you to deny Write access to devices in the CD and DVD removable storage class, including USB connected devices.

Important

Some non-Microsoft CD and DVD burner software interacts with the hardware in a way that is not prevented by the policy. If you want to prevent all writing to CD or DVD burners, you might want to consider applying a Group Policy setting to prevent the installation of that software.

Custom Classes: Deny read access

This policy setting allows you to deny Read access to any device with a Device Setup Class GUID that is found in the lists you provide.

Custom Classes: Deny write access

This policy setting denies Write access to custom removable storage classes that you specify.

Floppy Drives: Deny execute access

This policy setting allows you to deny Execute access to devices in the Floppy Drive class, including USB connected devices.

Floppy Drives: Deny read access

This policy setting allows you to deny Read access to devices in the Floppy Drive class, including USB connected devices.

Floppy Drives: Deny write access

This policy setting allows you to deny Write access to devices in the Floppy Drive class, including USB connected devices.

Removable Disks: Deny execute access

This policy setting allows you to deny Execute access to removable devices that are emulate hard disks, such as USB memory drives or external USB hard disk drives.

Removable Disks: Deny read access

This policy setting allows you to deny Read access to removable devices that are emulate hard disks, such as USB memory drives or external USB hard disk drives.

Removable Disks: Deny write access

This policy setting allows you to deny Write access to removable devices that emulate hard disks, such as USB memory drives or external USB hard disk drives.

Tape Drives: Deny execute access

This policy setting allows you to deny Execute access to tape drives, including USB connected devices.

Tape Drives: Deny read access

This policy setting allows you to deny Read access to tape drives, including USB connected devices.

Tape Drives: Deny write access

This policy setting allows you to deny Write access to tape drives, including USB connected devices.

WPD Devices: Deny read access

This policy setting allows you to deny Read access to devices in the Windows Portable Device class, such as media players, mobile phones, and Windows CE devices.

WPD Devices: Deny write access

This policy setting allows you to deny Write access to devices in the Windows Portable Device class, such as media players, mobile phones, and Windows CE devices.

All Removable Storage classes: Deny all access

This policy setting takes precedence over any of the policy settings in this list, and if enabled, it denies Execute, Read, and Write access to any device that is identified as using a removable storage device.

All Removable Storage: Allow direct access in remote sessions

This policy setting grants users direct access to removable storage devices in remote sessions.

Potential Impact

Removable storage devices such as CD and DVD drives, removable disks, mobile phones, and tape drives have proliferated in the last few years, and users have come to rely on them to copy and transfer data from location to location. Restricting a user's ability to use these devices to read or write data may prevent or make it more difficult for them to complete some legitimate organization tasks, such as viewing DVD-based training materials or backing up data. If you implement removable storage device restrictions, you may need to provide alternate means, such as providing training kiosks or providing network-based backup, for these tasks to be completed.

AutoPlay and AutoRun policies

AutoPlay and AutoRun capabilities offer users simplified access to resources on removable storage devices.

Possible values:

  • Enabled

  • Disabled

  • Not configured

Vulnerability

AutoPlay and AutoRun capabilities can pose potential risks when malware is present on these devices, and they are allowed to run without user intervention.

The AutoPlay and AutoRun policy settings enable you to use Group Policy to administer policies for files that are stored on enhanced storage devices or that are downloaded to computers in your organization.

The following Group Policy settings control the behavior of AutoPlay and AutoRun.

Policy setting Description

Turn off AutoPlay

Turns off the AutoPlay feature.

AutoPlay begins reading from a drive as soon as you insert media into the drive. As a result, the setup file of programs and the music on audio media start immediately.

If you enable this setting, you can disable AutoPlay on CD-ROM and removable media drives, or disable AutoPlay on all drives.

This setting disables AutoPlay on additional types of drives. You cannot use this setting to enable AutoPlay on drives when it is disabled by default.

Note
This setting appears in the Computer Configuration and the User Configuration folders. If the settings conflict, the setting in Computer Configuration takes precedence over the setting in User Configuration.

Don’t set the always do check box

If this policy is enabled, the "Always do this..." check box in AutoPlay will not be set by default when the dialog is shown.

Turn off AutoPlay for non-volume devices

If this policy is enabled, AutoPlay will not be enabled for non-volume devices like MTP devices. If you disable or not configure this policy, AutoPlay will continue to be enabled for non-volume devices.

Default behavior for AutoRun

Sets the default behavior for AutoRun commands. AutoRun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.

The default behavior in Windows Vista and later is to prompt the user whether the AutoRun command is to be run.

If you disable or do not configure this policy, Windows Vista will prompt the user whether the AutoRun command is to be run.

If you enable this policy, an Administrator can change the default behavior in Windows for AutoRun to:

  1. Completely disable AutoRun commands

  2. Automatically execute the AutoRun command.

Potential Impact

Restricting or blocking AutoPlay and AutoRun capabilities can enhance system security, but they may require additional user education to determine when such files can be run safely.